OSX/PWS-Corpref is a password-stealing trojan that targets Apple Macintosh OS X (MacOS X) users and masquerades as a poker game program.
When run, it executes AppleScript to display a message reporting a "corruption" in the program and prompts the user for the administrator password to "fix" it. In MacOS X, it is normal for the user to be asked for a password before any administrator task is performed, so the prompt does not look out of place.
The trojan verifies the password by running the "id" system command to check that it now holds the administrator user ID. If the check fails, it prompts the user again to enter the right password.
Once the password is accepted, OSX/PWS-Corpref can modify system files and configurations with administrator (sudo) privileges. It enables the remote login service (SSH) on the infected MacOS X machine by changing one of the following files, depending on the OS version:
- /System/Library/LaunchDaemons/ssh.plist (MacOS X 10.4 and 10.5)
- /private/etc/xinetd.d/ssh (MacOS X 10.3)
- /etc/hostconfig (MacOS X 10.2)
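A defender checking a suspect machine wants to know whether Remote Login was switched on behind the user's back. The following is an added example (not code from the original description) that audits the three per-version configuration files listed above. The file formats and key names are assumptions based on the standard layout of those files: the launchd plist uses a `Disabled` boolean, the xinetd service file uses a `disable = yes|no` line, and `/etc/hostconfig` uses `SSHSERVER=-YES-|-NO-`. The sample file contents are constructed so the audit runs offline.

```python
"""Audit whether Remote Login (SSH) is enabled in any of the three
MacOS X configuration files a trojan might have edited.

Added example, not part of the original description. Assumed formats:
  - launchd plist (10.4/10.5): <key>Disabled</key> then <true/> or <false/>;
    a missing key means the service is enabled.
  - xinetd service file (10.3): a "disable = yes|no" line; a missing line
    means the service is enabled.
  - /etc/hostconfig (10.2): a "SSHSERVER=-YES-|-NO-" line.
"""
import os
import plistlib
import re

# Paths named in the description, keyed by the parser that understands them.
LAUNCHD_PATH = "/System/Library/LaunchDaemons/ssh.plist"
XINETD_PATH = "/private/etc/xinetd.d/ssh"
HOSTCONFIG_PATH = "/etc/hostconfig"


def launchd_ssh_enabled(plist_bytes: bytes) -> bool:
    """True when the launchd job is not marked Disabled."""
    data = plistlib.loads(plist_bytes)
    return not bool(data.get("Disabled", False))


def xinetd_ssh_enabled(text: str) -> bool:
    """True unless the service block contains 'disable = yes'."""
    m = re.search(r"^\s*disable\s*=\s*(\w+)", text, re.MULTILINE)
    return m is None or m.group(1).lower() != "yes"


def hostconfig_ssh_enabled(text: str) -> bool:
    """True only when SSHSERVER is explicitly set to -YES-."""
    m = re.search(r"^\s*SSHSERVER\s*=\s*-(YES|NO)-", text, re.MULTILINE)
    return m is not None and m.group(1) == "YES"


def audit(contents: dict) -> list:
    """Return the paths (from the mapping) in which SSH is enabled.

    `contents` maps a path to its file contents: bytes for the plist,
    str for the two text formats. Paths the mapping lacks are skipped,
    which mirrors a real host where only one of the three files exists.
    """
    checks = {
        LAUNCHD_PATH: launchd_ssh_enabled,
        XINETD_PATH: xinetd_ssh_enabled,
        HOSTCONFIG_PATH: hostconfig_ssh_enabled,
    }
    return [p for p, check in checks.items() if p in contents and check(contents[p])]


def audit_live_system() -> list:
    """Read whichever of the three files exist on this host and audit them."""
    contents = {}
    if os.path.exists(LAUNCHD_PATH):
        with open(LAUNCHD_PATH, "rb") as f:
            contents[LAUNCHD_PATH] = f.read()
    for path in (XINETD_PATH, HOSTCONFIG_PATH):
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                contents[path] = f.read()
    return audit(contents)


# Constructed sample contents: one enabled and one disabled form of each file.
SAMPLE_PLIST_ENABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.openssh.sshd</string>
</dict>
</plist>
"""
SAMPLE_PLIST_DISABLED = SAMPLE_PLIST_ENABLED.replace(b"<false/>", b"<true/>")

SAMPLE_XINETD_ENABLED = "service ssh\n{\n\tdisable\t= no\n\tsocket_type = stream\n}\n"
SAMPLE_XINETD_DISABLED = SAMPLE_XINETD_ENABLED.replace("= no", "= yes")

SAMPLE_HOSTCONFIG_ENABLED = "AFPSERVER=-NO-\nSSHSERVER=-YES-\n"
SAMPLE_HOSTCONFIG_DISABLED = "AFPSERVER=-NO-\nSSHSERVER=-NO-\n"

if __name__ == "__main__":
    tampered = {
        LAUNCHD_PATH: SAMPLE_PLIST_ENABLED,
        XINETD_PATH: SAMPLE_XINETD_DISABLED,
        HOSTCONFIG_PATH: SAMPLE_HOSTCONFIG_ENABLED,
    }
    for path in audit(tampered):
        print("SSH enabled via", path)
```

On a real host only the file matching the installed OS version exists, so `audit_live_system` reports at most one path; a non-empty result on a machine where the user never turned on Remote Login is the signal worth investigating.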
The trojan then dumps the password hashes into a file and sends it by e-mail to the malware author, along with the user name, password and IP address, using the following web server: